VIRUS-L Digest Thursday, 14 Nov 1991 Volume 4 : Issue 218 Today's Topics: Re: Hardware? How about software...? Re: F-Prot 2.01 (PC) Re: PC Soft (PC) Re: Organ music/black monitor-Mac (Mac) Re: Only Scan Floppies? (general) SCAN & VSUM questions (PC) DIR-2 found in USA (PC) McAfee84 fails on Stone, Azusa and Joshi? (PC) Re: VShield problem with DOS 5.0 & QEMM? (PC) Re: VSHIELD w/ MODEMS (PC) Re: Problem with Stoned virus and SCAN (PC) Re: Questions about VIRLIST.TXT (PC) Call for Papers - Fifth Annual Computer Virus & Security Conference VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc. Please sign submissions with your real name. Send contributions to VIRUS-L@IBM1.CC.LEHIGH.EDU (that's equivalent to VIRUS-L at LEHIIBM1 for you BITNET folks). Information on accessing anti-virus, documentation, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@CERT.SEI.CMU.EDU. Ken van Wyk ---------------------------------------------------------------------- Date: Mon, 11 Nov 91 18:31:11 +0000 >From: Fridrik Skulason Subject: Re: Hardware? How about software...? In Message 7 Nov 91 04:55:56 GMT, turtle@darkside.com (Fred Waller) writes: > Fascinating. That's exactly how Mark Washburn's SECURE program > works under MS DOS, only I was led to believe here that SECURE > wasn't useful. The usefulness of SECURE is subject to debate. My opinion is however that the simple fact that is written by Mark Washburn is a pretty good reason to ignore the program - as well as all other programs written by known virus authors. - -frisk ------------------------------ Date: Mon, 11 Nov 91 18:46:14 +0000 >From: Fridrik Skulason Subject: Re: F-Prot 2.01 (PC) Instead of just answeing by private mail, I decided to post the answers, hoping they will be of general interest. In Message 7 Nov 91 16:06:37 GMT, MONAT%UOTTAWA@acadvm1.uottawa.ca writes: > >1. I have a lot of clients who work on their stand-alone computer > for quite some time and then decide to access a network. They > load virstop.exe at boot time but then at network time, the load > gets rejected with an "already installed" message. This problem is not solvable with the current version of VIRSTOP. There are some advantages to loading the program from CONFIG.SYS or AUTOEXEC.BAT, but if that is done the program will be disabled if certain network products are run afterwards. (Or for that matter any program which takes over INT 21H, 4BH and does not call the original handler). DesqView, PC-NFS and Novell-Netware are such programs. This is not only a problem for VIRSTOP - all other anti-virus programs that monitor this function and check programs on-the-fly face the same problem. In version 1.16 this was solved by running F-NET.EXE after the network software was loaded. There were som minor compatibility problems, but I think I have them solved now, and a fix should appear in 2.02 - where you can re-run VIRSTOP, and it will simply rehook INT 21. >2. What are we suppose to do with the file virstop.bin? It's exactly > identical to virstop.exe and both can be loaded at boot time. It will be dropped in 2.02. It is only identical to VIRSTOP.EXE in the "English-only" version of F-PROT, but is used as a "skeleton file" in the multi-lingual versions. >3. I would like a new f-test.exe so that I can test if virstop.exe > worksa once installed in memory. Use old F-TEST.COM from 1.16 - it will be stopped if the package is installed correctly. I am writing a replacement program, however - it will (also) appear in 2.02. >4. What's the command line switch to remove virstop.exe from memory? > (It's useful if you want to detach yourself from Novell without > rebooting). There is no such switch. If I had provided one, I would have opened a "loophole" that a virus could exploit to throw remove or disable the program. - -frisk ------------------------------ Date: Mon, 11 Nov 91 19:05:28 +0000 >From: Fridrik Skulason Subject: Re: PC Soft (PC) In Message 7 Nov 91 16:34:15 GMT, CHMCHRIS@vm.uoguelph.ca (Chris Jones) writes: >As a matter of fact, the emulation is good enough that viruses *are* able to >infect and transmit. Yes, but not all PC-viruses - only the "well behaved" ones. In practice this means the same viruses as those which work withour problems in the oldest versions of the DOS-compatibility box under OS/2. Viruses which use undocumented functions, jump directly into DOS or use other nasty tricks will usually not work. - -frisk ------------------------------ Date: 11 Nov 91 06:19:37 +0000 >From: scott@hsvaic.boeing.com (Scott Hinckley) Subject: Re: Organ music/black monitor-Mac (Mac) Fran_Holtsberry@msmailgw.csuchico.edu (Fran Holtsberry) writes: >We have two systems playing organ music and no monitor response. Any >ideas about whether this is a virus or a prank? My first reaction is >that it is a Halloween prank. But it still is debilitating two Macs. Let me guess... You turn on the Mac, here 3 tones, and nothing else happens? If so, it is the dead mac dirge that those 'organs' are playing. Take the machine to service. Read your manual, it talks about the startup diagnostic tones. - -- VoiceNet:Scott Hinckley | ATTnet:+1 205 461 2073 | I heart my VW Internet:scott@hsvaic.boeing.com | UUCP:...!uw-beaver!bcsaic!hsvaic!scott US snail:110 Pine Ridge Rd / Apt# 608/ Huntsville / AL / 35801 DISCLAIMER: All contained herein are my opinions ------------------------------ Date: Mon, 11 Nov 91 19:53:07 +0000 >From: Fridrik Skulason Subject: Re: Only Scan Floppies? (general) In Message 7 Nov 91 20:27:42 GMT, jesse@gumby.Altos.COM (Jesse Chisholm AAC-RjesseD) writes: >It is a question of perception rather than actual effeciency. I 1 or 2 >minute check at power up time means there is time for a cup of coffee >before throwing the brain in gear. A perceived delay every time the >user runs a program is sand in the gearbox. Well, the delay should barely be perceivable - I did a small test, and a virus scan is possible in just below 1 second when a program is run from a floppy and around 0.1 second when I run a program from the hard disk. As a 0.1 second increase in loading time is not noticable, I see no reason why the programs should not always be checked when run - assuming the scanner is fast enough..... :-) - -frisk ------------------------------ Date: Mon, 11 Nov 91 15:09:00 -0500 >From: JTUCKER@VAX2.CSTP.UMKC.EDU Subject: SCAN & VSUM questions (PC) Greetings all, Could someone explain why SCAN goes over all .sys and all .prg files when scanning a drive??? Also where can I find the latest VSUM? Thanks, Joseph... ------------------------------ Date: 11 Nov 91 23:57:15 +0000 >From: mmartin@elbereth.rutgers.edu (Michael Martin) Subject: DIR-2 found in USA (PC) At Rutgers University in New Jersey, we have experienced an outbreak of the DIR-2 virus, identified by Macafee Version 7.9V84 as D2. I have not had the opportunity to try everything I could think of, so here's a summary. In a lab of 20 386SX running DOS 3.30, 4 machines were found to be infected. These machines showed more than 40 infected files, so I elected to low level format and reload. That worked fine. Applying a small amount of finesse, I attempted to clean an infected diskette, and found that if I executed scan from the same drive as the infected diskette "clean a: [D2] /many", that clean reported that it was unable to clean, that this virus might be a variant, and that I should contact Macafee associates. Having talked through the process with John Macafee, I find that if I copy clean to an uninfected C: drive, and "clean A:", that clean successfully removes the infection. John pointed out that after I booted from a known clean diskette, there was no reason not to copy clean to the hard disk and execute it from there. This works for floppy disks, I haven't tried it for a hard disk. mike martin ------------------------------ Date: Tue, 12 Nov 91 02:03:05 -0800 >From: Tanu Kartawiria Subject: McAfee84 fails on Stone, Azusa and Joshi? (PC) We are in the process of evaluating McAfee program, specifically the VSHIELD84. We have vshield installed on all machines's autoexec.bat with parameters '/m /chkhi /lock', however our computers are still infected by those 3 viruses. The Clean program was able to remove Stone and Azusa, but it failed to remove Joshi even though it reported that it was successful in removing Joshi. Isn't Vshield supposed to block those viruses from getting to our computer in the first place? Are we missing something? Or are we doing something wrong? I'd appreciate your comments and expertise. Or should I use different program? Thank you, tanu@beach.csulb.edu Library Computer Lab, Cal State Univ. Long Beach. ------------------------------ Date: Tue, 12 Nov 91 05:19:18 +0000 >From: mcafee@netcom.com (McAfee Associates) Subject: Re: VShield problem with DOS 5.0 & QEMM? (PC) RY01@ns.cc.lehigh.edu (Robert Yung) writes: >Huh????? > I have MS-DOS 5 and QEMM 6.0 and VSHIELD/LH works fine for me. Are >you sure QEMM does not work with VSHIELD? I don't want to have set off >a time bomb... If you have a large enough contiguous block of upper memory, VSHIELD will load itself high with both QEMM and the /LH parameter being used. However, most people using QEMM don't. This is something that our programmers are looking into > BTW, when I use the /LH parameter, VSHIELD left a 0.4K stub in >conventional memory. Is that normal? Can I not have it??? 416 bytes, actually :-) This is a normal function of VSHIELD. > How about making VSHIELD device loadable so it gets to memory >first. You could run it as the first command in your AUTOEXEC.BAT. > How about packaging a dummy virus w/ the VIRUSCAN products to >test if everything is working. I'm not all that confident about VSHIELD >since I can never tell if it's working or not. The PC-MAG virus >seems nice... it fooled SCAN v70 (I think). You can check VSHIELD by running it with the /CV option to check validation codes and then modifying a validation coded file with a sector editor and trying to run it. If VSHIELD says that the file nas been modified and an infection may have occurred, well, then, you know that it's working. > THANKS! You're welcome. Regards, Aryeh Goretsky McAfee Associates Technical Support - -- - - - - McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 4423 Cheeney Street | FAX (408) 970-9727 | aryehg@darkside.com(personal) Santa Clara, California | BBS (408) 988-4004 | 95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ Date: Tue, 12 Nov 91 05:29:14 +0000 >From: mcafee@netcom.com (McAfee Associates) Subject: Re: VSHIELD w/ MODEMS (PC) RY01@ns.cc.lehigh.edu (Robert Yung) writes: >Is it possible to get a virus by just connecting to a BBS? Not unless there was some special operation between the host computer and your terminal to automatically download and execute program code. > How about when I download? You could download a file infected with a virus, but you would still have to execute it. You could, of course, always run the VIRUSCAN program against anything you download before executing it to confirm that it is free of viruses (at least those that the SCAN program recognizes, of course). > Can Vshield check stuff as it downloads as with the /V (This should be /COPY (?)) >parameter (check copying for virus)? THANKS. Most files that are transmitted these days are in comrpessed form (e.g. ARC, ZIP, ZOO, LZH, etcetera). A file would have to be decompressed before it was scanned for a virus. This would be more a function of the VIRUSCAN program then VSHIELD. Regards, Aryeh Goretsky McAfee Associates Technical Support - -- - - - - McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 4423 Cheeney Street | FAX (408) 970-9727 | aryehg@darkside.com(personal) Santa Clara, California | BBS (408) 988-4004 | 95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ Date: Tue, 12 Nov 91 05:05:27 +0000 >From: mcafee@netcom.com (McAfee Associates) Subject: Re: Problem with Stoned virus and SCAN (PC) CEZAR@PLEARN.BITNET (Cezar Cichocki) writes: >Small (?|||) problems with STONED virus. SCAN detect it, I used CLEAN >program, it raport me that CLEANED and... STONED was on disk again || >I killed him with NoStoned programm (Polish cure for this virus). Hello Cezar, What exactly happened is unclear, but it sounds like you ran CLEAN-UP on a PC with the virus in memory, and after CLEAN-UP removed the virus from the disk it transfered back to the disk from memory.. The VIRUSCAN and CLEAN-UP programs will not check memory for the Stoned virus unless you tell them to with the /M option which tells them to check memory for prank/non-dangerous viruses. Regards, Aryeh Goretsky McAfee Associates Technical Support - -- - - - - McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 4423 Cheeney Street | FAX (408) 970-9727 | aryehg@darkside.com(personal) Santa Clara, California | BBS (408) 988-4004 | 95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ Date: Tue, 12 Nov 91 04:58:10 +0000 >From: mcafee@netcom.com (McAfee Associates) Subject: Re: Questions about VIRLIST.TXT (PC) bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev) writes: >mcafee@netcom.com (McAfee Associates) writes: [some stuff deleted...] >> The Horse, Invader, and V101 viruses are what's known as multipartite >> ("multiple part") viruses. What that means is that they infect both >> files and the boot area of disks when they are accessed once the virus >> has become installed in memory. > >Sorry, but the Horse Boot virus is -NOT- a multi-partite virus! Oops! You're right. Apparently there is a file named HORSBOOT.COM in the library. A quick and dirty examination of it with Vern Berg's LIST program reveals it to be boot code. Apparently someone saved off the sector or compiled it... Regards, Aryeh Goretsky McAfee Associates Technical Support - -- - - - - McAfee Associates | Voice (408) 988-3832 | mcafee@netcom.com (business) 4423 Cheeney Street | FAX (408) 970-9727 | aryehg@darkside.com(personal) Santa Clara, California | BBS (408) 988-4004 | 95054-0253 USA | v.32 (408) 988-5190 | CompuServe ID: 76702,1714 ViruScan/CleanUp/VShield | HST (408) 988-5138 | or GO VIRUSFORUM ------------------------------ Date: Mon, 11 Nov 91 13:48:00 -0500 >From: Jack Holleran Subject: Call for Papers - Fifth Annual Computer Virus & Security Conference Call for Papers Fifth Annual Computer VIRUS & SECURITY Conference Dates: March 11-13, 1992 Place: Marriott Marquis and Summit Hotel, New York City TOPICS of Interest: * Prevention, Detection, and Recovery from Viruses and other Unauthorized Usage * Case studies of mainframe, PC and/or network security * Access control, accountability, audit, data recovery * Surveys or demonstrations of products & techniques * Particulars of LAN, UNIX, cryptology, military use * Computer crime, law, data liability, related contexts * US/International sharing of Research & Techniques PAPER Submission requirements: A submission may take the format of *EITHER* a long abstract (3-5 double spaced pages) *OR* a draft final paper. Final papers will usually be 6-20 pages in length. Four copies of the submission should be sent via regular Government Postal Service to the follow address: Program Chairman Computer VIRUS & SECURITY Conference NYU, DPMA Fin. Ind. Ch. 609 West 114th Street New York, New York 10025 The submission should be received by December 16, 1991. Please include a small photo and introductory biography not exceeding 50 words. Successful submitters or co-authors are expected to present in person. Presenters receive the Proceedings. PAPER FORMAT: Typed double spaced, with last name/page# below bottom line (may be handwritten), brief (to 200 words) abstract following four centered heading lines: TITLE (Caps); Name; Position Affiliation; Telephone, City/State/Zip/Country, Electronic mail address (optional). NOTIFICATION: Written (and where practicable) telephoned conformation will be initiated by Monday, January 27, 1992, to facilitate low cost travel. Those needing earlier confirmation should submit papers sooner and attach a note to this effect. You may be asked to perform specific revisions to be accepted. Nobody can guarantee you a place without an acceptable paper. CONFERENCE: There are five tracks. Don't hesitate to submit a presentation given elsewhere to a more specialized audience. Most of our attendees will find it new, interesting, and necessary. SPONSOR: DPMA Financial Industries Chapter in cooperation with ACM-SICSAC & IEEE-CS & ICCP ------------------------------ End of VIRUS-L Digest [Volume 4 Issue 218] ****************************************** Downloaded From P-80 International Information Systems 304-744-2253